Remote data mirroring system

ABSTRACT

A method for data protection includes accepting data for storage from one or more data sources ( 24 ). The data is sent for storage in a primary storage device ( 28 ) and in a secondary storage device ( 32 ). While awaiting an indication of successful storage of the data in the secondary storage device, a record associated with the data is temporarily stored in a disaster-proof storage unit ( 48 ) adjacent to the primary storage device. When an event damaging at least some of the data in the primary storage device occurs, the data is reconstructed using the record stored in the disaster-proof storage unit and at least part of the data stored in the secondary storage device.

CROSS-REFERENCE TO PRIOR APPLICATION

The above-referenced application is the U.S. National Phase ofInternational Patent Application No. PCT/IL2006/000453, filed Apr. 10,2006, which claims priority from U.S. Provisional Application Nos.60/673,664, filed Apr. 20, 2005 and 60/729,112, filed Oct. 20, 2005,which are incorporated by reference herein.

FIELD OF THE INVENTION

The present invention relates generally to data protection systems, andparticularly to methods and systems for protecting mirrored data againstdisaster events using disaster-proof temporary storage devices.

BACKGROUND OF THE INVENTION

Various methods and systems are known in the art for protecting data incomputer systems against disasters such as earthquakes, storms, floods,fires and terrorist attacks. Some solutions involve replicating(mirroring) the data in a primary and a secondary storage device.

For example, EMC Corporation (Hopkinton, Mass.) offers a family ofremote storage replication solutions called Symmetrix Remote DataFacility (SRDF) for disaster recovery and business continuity. The SRDFproduct family includes both synchronous and asynchronous solutions.Further details regarding the SRDF products are available atwww.emc.com/products/networking/srdf.jsp.

As another example, IBM Corporation (Armonk, N.Y.) offers a number ofbusiness continuity solutions, including mirroring products. Furtherdetails regarding these products are available atwww-03.ibm.com/servers/storage/solutions/business_continuity.

SUMMARY OF THE INVENTION

Some known data protection applications use synchronous mirroringmethods, in which a transaction is considered complete only after bothprimary and secondary storage devices successfully store the data. Thisrequirement introduces significant latency into the transaction, inparticular when the secondary site is located far away from the primarysite. In some cases, the maximum tolerable latency limits the maximumseparation between the primary and secondary sites.

In order to reduce the transaction latency and enable large separationbetween the primary and secondary sites, some known data protectionapplications use asynchronous mirroring methods, in which thetransaction is acknowledged as soon as the data is successfully storedin the primary storage device. The interaction with the secondarystorage device may be continued in parallel. However, asynchronousmirroring does not provide guaranteed storage of the data in thesecondary storage device, and in some cases data may be lost in theevent of disaster.

In view of these shortcomings of synchronous and asynchronous mirroringmethods, embodiments of the present invention provide improved methodsand systems for data protection. The methods, systems and devicesdescribed hereinbelow enable guaranteed low latency data mirroring atboth primary and secondary storage devices, regardless of the latencyand/or separation between the storage devices. The data to be protectedmay be received from one or more data sources, such as informationtechnology (IT), telephony, security and surveillance systems.

In some embodiments, data is sent for storage in primary and secondarystorage devices. A record related to the data is temporarily cached in asecure storage device until the data is successfully stored in thesecondary storage device. In some embodiments, the secure storage deviceis constructed so as to withstand disaster events while protecting thecached data. In the context of the present patent application and in theclaims, a storage device is considered to be “disaster-proof” if it isdesigned so that the data it stores will, with high probability, remainintact and fully recoverable even under conditions typical of disasterevents, such as the events listed above and similar events. Suchconditions may cause destruction of computer equipment or data stored insuch equipment in proximity to the storage device.

If an event affecting at least some of the data occurs, the securestorage device is recovered and the records cached in it are used toreconstruct the data in the secondary storage devices.

In some embodiments, the data protection system uses one or moreenvironmental sensors for early detection of a developing or approachingdisaster event. Methods for further improving data protection usingearly disaster detection are described hereinbelow.

There is therefore provided, in accordance with an embodiment of thepresent invention, a method for data protection, including:

accepting data for storage from one or more data sources;

sending the data for storage in a primary storage device and in asecondary storage device;

while awaiting an indication of successful storage of the data in thesecondary storage device, temporarily storing a record associated withthe data in a disaster-proof storage unit adjacent to the primarystorage device; and

when an event damaging at least some of the data in the primary storagedevice occurs, reconstructing the data using the record stored in thedisaster-proof storage unit and at least part of the data stored in thesecondary storage device.

In an embodiment, temporarily storing the record includes sending anacknowledgement to the one or more data sources responsively to asuccessful caching of the record in the disaster-proof storage unit,without waiting to receive the indication of the successful storage ofthe data in the secondary storage device, so as to reduce a transactionlatency associated with the storage of the data.

Additionally or alternatively, temporarily storing the record includesreceiving an acknowledgement from the secondary storage deviceacknowledging the successful storage of the data in the secondarystorage device, and deleting the record from the disaster-proof storageunit responsively to the acknowledgement.

In another embodiment, reconstructing the data includes retrieving thedisaster-proof storage unit following the event, extracting the recordfrom the disaster-proof storage unit and writing the data associatedwith the record to the secondary storage device. Writing the data mayinclude remotely connecting the disaster-proof storage unit to thesecondary storage device.

In yet another embodiment, the disaster-proof storage unit includes aremovable memory device for holding the record, and reconstructing thedata includes, when the disaster-proof storage unit is damaged by theevent, removing the memory device from the disaster-proof storage unitand installing the memory device in another unit for readout of therecord.

In still another embodiment, the method includes detecting the eventusing a detection mechanism in the disaster-proof storage unit, andmodifying operation of the disaster-proof storage unit responsively todetecting the event. Detecting the event may include detecting at leastone of a loss of external electrical power supply and a communicationfailure at the disaster-proof storage unit. In an embodiment, modifyingthe operation includes transmitting the record from the disaster-proofstorage unit over a wireless communication link.

In another embodiment, temporarily storing the record includes storingthe record in two or more disaster-proof storage units, and transmittingthe record includes transmitting two or more different parts of therecord respectively from the two or more disaster-proof storage unitsover respective wireless links so as to shorten a transmission time ofthe record.

In yet another embodiment, modifying the operation includes transmittinga homing signal from the disaster-proof storage unit, so as to enablelocation and retrieval of the disaster-proof storage unit.

In an embodiment, reconstructing the data includes:

sensing an environmental condition using an environmental sensor;

predicting the event responsively to the sensed environmental condition;and

after predicting the event, transmitting the record from thedisaster-proof storage unit using at least one of a wired connection anda wireless connection.

Sensing the environmental condition may include accepting a manualindication from a user that indicates the event.

In an embodiment, temporarily storing the record includes sending anacknowledgement message responsively to a successful storage of therecord in the disaster-proof storage unit, and, after predicting theevent, refraining from sending subsequent acknowledgement messages so asto avoid accepting additional data from the one or more data sources.

In another embodiment, after predicting the event, the method includesrefraining from sending subsequent data for storage in the primarystorage device. Additionally or alternatively, after predicting theevent, the method includes temporarily storing in the disaster-proofstorage unit only subsequent records associated with data originatingfrom a subset of the one or more data sources.

In still another embodiment, temporarily storing the record includesavoiding exceeding a memory capacity in the disaster-proof storage unitby matching the memory capacity with at least one of a maximum allowedsize of data pending for acknowledgement by the secondary storage deviceand a maximum number of write commands pending for storage in thesecondary storage device.

Additionally or alternatively, temporarily storing the record includesincluding in the record additional information related to the data, theadditional information includes at least one of an address of anoriginating data source, an address of the primary storage device, atime stamp indicating an acceptance time of the data and a storageaddress intended for the data in the primary storage device.

There is additionally provided, in accordance with an embodiment of thepresent invention, a method for data protection, including:

accepting data for storage from one or more data sources;

sending the data for storage in a storage device;

temporarily storing records associated with at least part of the datathat is relevant to investigation of disaster events in a disaster-proofstorage unit; and

when an event damaging at least some of the data in the storage deviceoccurs, investigating the event using the records stored in thedisaster-proof storage unit.

In an embodiment, the at least part of the data that is relevant toinvestigation of disaster events includes at least one of surveillanceimages, access control information and data originating from a telephonysystem. Additionally or alternatively, the at least part of the datathat is relevant to investigation of disaster events includes dataaccepted at a time immediately preceding an occurrence of the event.

There is also provided, in accordance with an embodiment of the presentinvention, a method for data protection, including:

accepting data from a data source for storage in a primary storagedevice;

periodically sending the data for backup in a backup storage device bymeans of a sequence of backup operations;

temporarily storing in a disaster-proof storage unit records associatedwith at least part of the data that is accepted during a time intervalbetween successive backup operations in the sequence; and

when an event damaging at least some of the data in the primary storagedevice occurs during the time interval, reconstructing the data usingthe records stored in the disaster-proof storage unit.

There is further provided, in accordance with an embodiment of thepresent invention, a method for data protection, including:

accepting data for storage from a data source;

sending the data for storage in a primary storage device, whilemirroring the data in a secondary storage device;

temporarily storing at least part of the data in a disaster-proofstorage unit at a site of the primary storage device; and

when an event damaging at least some of the data in the primary storagedevice occurs at the site, reconstructing the data using the at leastpart of the data stored in the disaster-proof storage unit.

There is also provided, in accordance with an embodiment of the presentinvention, a system for data protection, including:

one or more data sources, which are arranged to send data for storage;

primary and secondary storage devices, which are arranged to hold thedata;

a disaster-proof storage unit adjacent to the primary storage device,which is arranged to temporarily store a record associated with the datawhile awaiting an indication of a successful storage of the data in thesecondary storage device, and when an event damaging at least some ofthe data in the primary storage device occurs, to provide the record soas to enable reconstruction of the data using the record stored in thedisaster-proof storage unit and at least part of the data stored in thesecondary storage device.

In an embodiment, the system includes:

an environmental sensor, which is arranged to sense an environmentalcondition in a vicinity of the primary storage device; and

a processor, which is arranged to predict the event responsively to thesensed environmental condition and, after predicting the event, toinstruct the disaster-proof storage unit to transmit the record using atleast one of a wired connection and a wireless connection.

There is additionally provided, in accordance with an embodiment of thepresent invention, apparatus for protecting data sent for storage inprimary and secondary storage devices, including:

a disaster-proof storage unit, which includes:

a disaster-proof enclosure, which is arranged to protect componentscontained therein against disaster events;

a memory device contained in the enclosure, which is arranged totemporarily hold a record associated with the data while awaiting anindication of successful storage of the data in the secondary storagedevice; and

a control unit, which is arranged, when an event damaging at least someof the data in the primary storage device occurs, to provide the recordso as to enable reconstruction of the data using the record stored inthe memory device and at least part of the data stored in the secondarystorage device;

a sensor, which is arranged to sense an environmental condition in avicinity of the primary storage device; and

a protection processor, which is arranged to predict the eventresponsively to the sensed environmental condition and, responsively topredicting the event, to instruct the disaster-proof storage unit totransmit the record so as to protect the data.

There is also provided, in accordance with an embodiment of the presentinvention, a computer software product for data protection, the productincluding a computer-readable medium, in which program instructions arestored, which instructions, when read by a computer, cause the computerto accept data from one or more data sources sent for storage in primaryand secondary storage devices, and to temporarily store a recordassociated with the data in a disaster-proof storage unit adjacent tothe primary storage device, while awaiting an indication of successfulstorage of the data in the secondary storage device.

The present invention will be more fully understood from the followingdetailed description of the embodiments thereof, taken together with thedrawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1C are block diagrams that schematically illustrate systems fordata protection, in accordance with embodiments of the presentinvention;

FIG. 2 is a block diagram that schematically illustrates a securestorage unit, in accordance with an embodiment of the present invention;

FIG. 3 is a schematic, pictorial illustration of a secure storage unit,in accordance with an embodiment of the present invention; and

FIGS. 4 and 5 are flow charts that schematically illustrate methods fordata protection, in accordance with embodiments of the presentinvention.

DETAILED DESCRIPTION OF EMBODIMENTS

In a typical synchronous mirroring transaction, a mirroring applicationaccepts a write command from a requesting application. The commandtypically comprises a storage instruction indicating data to be storedand the memory location in which to store it. In response, the mirroringapplication issues write commands to both the primary and secondarystorage devices. The mirroring application waits until both storagedevices store the data. Only when acknowledgements are received fromboth storage devices, the mirroring application acknowledges the writecommand to the requesting application, and only then the command isconsidered successful.

On one hand, synchronous mirroring methods offer a high level ofreliability because they guarantee that the data is successfully storedin both storage devices before the write command is regarded ascompleted. On the other hand, the latency associated with synchronouswrite operations is often problematic, in particular when the secondarystorage device is located far away from the mirroring application. (Inthe description that follows, it is assumed that the primary storagedevice and the mirroring application are both located at a primary siteadjacent to the requesting application. The secondary storage device isassumed to be located at a distant, secondary site. Although thisconfiguration is common in many practical systems, the embodimentsdescribed hereinbelow may be adapted for use in any other geographicallayout of the system, as well.)

Since, in a synchronic transaction, the requesting application does notreceive an acknowledgement of the write command until an acknowledgementis received from the secondary storage device, the entire transaction isdelayed by at least the round-trip propagation delay between themirroring application and the secondary site.

In many practical cases, the secondary storage device is locatedhundreds of miles away from the primary site. Moreover, thecommunication path connecting the mirroring application with thesecondary storage device may comprise various network elements, linksand other communication media which introduce additional latency.Acknowledgement mechanisms in the communication protocols used furtherincrease the latency. In some cases, the overall round-trip delay canreach one minute or more. Such latency often degrades the systemperformance, and may be prohibitive in some applications. In some cases,the maximum latency that can be tolerated limits the distance betweenthe primary and secondary site, thereby degrading the disasterresilience of the system.

In order to overcome the latency and distance limitations associatedwith synchronous mirroring, some known data protection methods useasynchronous mirroring methods. In a typical asynchronous mirroringtransaction, the requesting application issues a write command to themirroring application. The mirroring application sends a write commandto the primary storage device, and in addition caches the command in itslocal memory. As soon as the mirroring application receives anacknowledgment from the primary storage device, it acknowledges thesuccessful completion of the operation to the requesting application,and the command is considered successful. At some stage of the process,the mirroring application sends a write command to the secondary storagedevice. When the secondary storage device performs and acknowledges thecommand, the mirroring application deletes the cached command from itslocal memory.

In an asynchronous transaction, only the latency associated with theprimary storage device is felt by the requesting application. Theinteraction between the mirroring application and the secondary storagedevice often occurs after the requesting application has alreadyreceived an acknowledgement and has considered the write operationsuccessfully completed.

Thus, when using asynchronous mirroring, the transaction latency is notaffected by the distance to the secondary storage device, enabling anydistance to be used. On the other hand, asynchronous mirroring does notoffer guaranteed storage at both storage devices. If a disaster eventoccurs before the interaction with the secondary storage device iscompleted, the last write commands to the secondary storage device maybe lost. In other words, all the data for which an acknowledgement wasreceived from the primary storage device, but not from the secondarystorage device, is assumed to be lost.

In view of the shortcomings of synchronous and asynchronous mirroringmethods, as described above, embodiments of the present inventionprovide improved methods and systems for data protection. The methods,systems and devices described hereinbelow enable guaranteed low latencydata mirroring at both storage devices, regardless of the distanceand/or latency associated with storage in the secondary storage device.

System Description

FIG. 1A is a block diagram that schematically illustrates a system 20for protecting data of an organization against disaster events, inaccordance with an embodiment of the present invention. Disaster eventsmay comprise any event that affects the organization, and in particularthe data storage of the organization. A disaster event may comprise, forexample, an earthquake, a storm, a fire, a flood or a terrorist attack.In some cases, a system failure, such as a computer system failure or apower outage that affects the data storage of the organization, can alsobe regarded as a disaster event.

Different organizations have different data types that should beprotected in the event of a disaster. For example, an informationtechnology (IT) system may use and/or produce data that is valuable tothe organization. Additionally or alternatively, data produced byvarious systems in the organization can be valuable for investigatingthe disaster event. For example, the source, destination and/or contentsof telephone conversations held immediately before or during thedisaster may prove valuable. As another example, information gatheredfrom security and surveillance systems before and during a terroristattack, such as video images and data acquired by access control systemsmay also be considered valuable.

System 20 stores data produced and/or used by one or more data sources24. In some embodiments, data sources 24 may comprise, for example, anapplication server of an information technology (IT) system of theorganization, a telephony system such as a Private Automatic BranchExchange (PABX) or telephony switch, a surveillance system of theorganization such as a closed-circuit television (CCTV) system, anaccess control system, and/or any other system that produces data.

In order to protect the data, system 20 mirrors (i.e., replicates) thedata and stores it in two or more storage devices. In some embodiments,system 20 comprises a primary storage device 28 and a secondary storagedevice 32. The two storage devices hold replicas of the organizationdata, in a configuration commonly known as a mirrored configuration.Storage devices 28 and 32 may comprise disks, magnetic tapes, computermemory devices, and/or devices based on any other suitable storagetechnology. In some embodiments, the storage devices comprise internalprocessors that perform local data storage and retrieval-relatedfunctions. Although the description that follows refers to two storagedevices, other implementations of system 20 may comprise a higher numberof storage devices. System 20 can be implemented using only a singlestorage device, for example for protecting the data acquired fromsecurity systems immediately before a terrorist attack.

Typically, the primary and secondary storage devices are physicallylocated at two separate sites. The sites are chosen to be sufficientlydistant from one another, so that a disaster event in one of the siteswill be unlikely to affect the other. In some embodiments, regulatoryrestrictions recommend a separation greater than 200 miles, although anyother suitable distance can also be used. In the example of FIG. 1A, theprimary storage device is collocated with the data sources at a localsite, and the secondary storage device is located at a remote site.

A mirroring application 36 performs mirroring of the data, i.e., storesreplicas of the data produced by data sources 24 in the primary and thesecondary storage devices. Typically, the mirroring application acceptswrite commands from data sources 24, the commands comprising or pointingto data to be stored. The mirroring application stores the data in theprimary and secondary storage devices, using methods which will bedescribed below. In the exemplary embodiment of FIG. 1A, the mirroringapplication runs on the CPU of the primary storage device.Alternatively, application 36 may run on a separate processor.

In some embodiments, the mirroring application acknowledges each writecommand to the originating data source 24 when it receives anacknowledgement from the primary storage device, without waiting for asimilar acknowledgement from the secondary storage device. Unlike knownasynchronous mirroring methods, in order to ensure that no data is lostuntil it is safely stored in the secondary storage device as well, themirroring application sends the data for temporary storage in one ormore secure storage units 48.

In some embodiments, a protection processor 44 is connected to mirroringapplication 36. (In the description that follows, the term “connected tothe mirroring application” is used to describe a connection for theexchange of data and control information with the processor or computingplatform running the mirroring application, whether the same as orseparate from the processor of the primary storage device.) In theexemplary system configuration of FIG. 1A, processor 44 emulates anadditional storage device connected to a port of mirroring application36. Alternative system configurations are shown in FIGS. 1B and 1Cbelow.

Processor 44 communicates with application 36 using a suitablecommunication link, such as an optical fiber link, an Internet Protocol(IP) link or a bus such as a peripheral component interconnect (PCI)bus. In order to enable small transaction latency, processor 44 istypically located adjacent to the mirroring application. The mirroringapplication is typically configured to forward every write command itaccepts, as well as any acknowledgments it receives, to processor 44.Processor 44 may communicate with application 36 using any suitableprotocol, such as the small computer systems interface (SCSI), networkfile system (NFS) and common internet file system (CIFS) protocols,which are commonly used for communication between servers and storagedevices.

Typically, processor 44 comprises a general-purpose computer, which isprogrammed in software to carry out the functions described herein. Thesoftware may be downloaded to the computer in electronic form, over anetwork, for example, or it may alternatively be supplied to thecomputer on tangible media, such as CD-ROM. In some embodiments,processor 44 may be implemented internally to the primary storagedevice.

Processor 44 is connected to one or more secure storage units 48. Insome embodiments, two or more units 48 are deployed at differentlocations at or around the primary site, so as to increase theprobability that a least one of them will survive a disaster event.Typically, for every write operation sent or to be sent to secondarystorage device 32, processor 44 stores a respective record in each ofunits 48. The record is cached in units 48 until an acknowledgementindicating successful storage is received from device 32. Once anacknowledgement of a particular write command is received from thesecondary storage device, processor 44 deletes the corresponding recordfrom units 48. Processor 44 may communicate with units 48 using anysuitable interface, such as a universal serial bus (USB) interface. Insome embodiments, units 48 are mapped as virtual storage drives ofprocessor 44. In some embodiments, the communication interface alsoprovides electrical power for powering the secure storage units.

In some embodiments, units 48 are constructed in a durable manner, so asto enable them to withstand disaster events while protecting the cacheddata. An exemplary mechanical construction of a secure storage unit isshown in FIG. 3 below.

After a disaster event hits the primary site, at least one of the securestorage units is retrieved. The records stored in the retrieved unitsare used to reconstruct the data in the secondary storage device. Insome embodiments, a recovery processor 56 is connected to the secondarystorage device. A retrieved secure storage unit is connected to therecovery processor. The recovery processor extracts the records storedin the unit and uses them to reconstruct the data in the secondarystorage device. Unlike known mirroring methods in which all the datalocated in the primary site is assumed to be destroyed by the disasterevent, the records stored in units 48, at or adjacent to the primarysite, survive and are used to reconstruct the data following the event.

As can be appreciated, the use of secure storage units 48 enables system20 to provide low latency write commands, regardless of the distance tothe secondary storage device. At the same time, the system providesguaranteed mirroring of the data at both storage devices. Typically, thedata can be recovered and reconstructed within a relatively short timeframe after retrieving at least one operational unit 48.

In some cases, some of the records stored in the retrieved unit 48correspond to data that was only assumed to be lost, but in reality waswritten successfully to the secondary storage device. In most practicalcases, however, no further action is required since rewriting data thatalready exists in the storage device does not affect the consistency ofthe data.

In some embodiments, the operation of the protection processor andsecure storage units is transparent to the mirroring application and tothe data sources. Thus, processor 44 and units 48 can be installed as anadd-on to a known mirroring application or other data protection system.

In order to provide a high level of protection and reliability, it isdesirable to avoid overflow in memory 60 of unit 48, so that records arenot lost. Generally, a record can be safely deleted from unit 48 whenthe corresponding write command has been successfully carried out by thesecondary storage device. There are several alternative methods ofindicating to protection processor 44 when it is permitted to delete arecord from unit 48, sometimes depending on the functionality of themirroring application.

In some embodiments, protection processor 44 may listen to theacknowledgement messages arriving from the secondary storage device.When an acknowledgement of a particular write command is received byprocessor 44, the processor deletes the corresponding record from unit48. However, in some system configurations it is complicated orotherwise undesirable to intercept the acknowledgement messages byprocessor 44.

Alternatively, it is sometimes possible to avoid overflow in unit 48 byduplicating the overflow avoidance policy of the mirroring application,without explicitly listening to the acknowledgement messages sent fromthe secondary storage device. For example, some mirroring applicationsmanage a finite size buffer of pending write commands, i.e., writecommands that were sent to the secondary storage device but are not yetacknowledged. When this buffer is full, the mirroring applicationrefuses to accept additional write commands from the data sources. Inthese embodiments, memory 60 of unit 48 can be dimensioned to hold atleast the same number of records as the maximum number of write commandsin the mirroring application buffer. Similarly, given a particular unit48 having a certain memory size, the mirroring application can beconfigured so that its buffer size matches the size of memory 60.Because the size of memory 60 and the size of the mirroring applicationbuffer are matched, when a new write command is sent to processor 44,the oldest record in unit 48 can be safely deleted.

Other mirroring applications are configured to allow a maximum number ofpending write commands, without necessarily holding a buffer. In otherwords, the mirroring application tracks the number of write commandssent to the secondary storage device and the number of acknowledgementsreceived, and maintains a current count of unacknowledged (i.e.,pending) write commands. When the number of pending write commandsreaches a predetermined limit, no additional write commands are acceptedfrom the data sources. In these embodiments, the size of memory 60 canbe dimensioned to match the maximum number of pending write commands.Alternatively, the mirroring application can be configured so that themaximum allowed number of pending write commands matches the size ofmemory 60.

Additionally or alternatively, any other suitable mechanism can be usedto avoid overflow in memory 60 by matching the size of memory 60 withthe maximum size of data pending to be acknowledged by the secondarystorage device.

In some embodiments, the data can be reconstructed quickly, withoutphysically connecting the retrieved unit 48 directly to the recoveryprocessor at the secondary storage site. Such embodiments may be useful,for example, in situations in which the secondary site is far away fromthe primary site (from which unit 48 was retrieved). In theseembodiments, the retrieved unit 48 is connected to a remote computer(not shown in the figure), which is remotely connected to recoveryprocessor 56 using any suitable communication link, such as over theInternet. The records stored in the retrieved unit are then transmittedvia the remote computer to the recovery processor.

In some embodiments, the records transmitted between the remote computerand the recovery processor are encrypted, so as to maintain datasecurity when communicating over wireless channels and over public mediasuch as the Internet. Typically, the records are already encrypted byprotection processor 44 before they are stored in unit 48. Any softwareneeded for extracting and/or transmitting the records may be stored inthe memory of unit 48 along with the records, so that any computerhaving Internet access (or other access means) and a suitable interfacefor connecting to unit 48 can be used as a remote computer.

In some embodiments, one or more environmental sensors 52 are installedat or near the primary storage device and connected to protectionprocessor 44. The sensors are used for sensing environmental conditions,which may provide early detection, or prediction, of a developingdisaster event. For example, sensors 52 may comprise temperature sensorsthat sense a rising temperature at or near the primary storage device.Additionally or alternatively, sensors 52 may comprise seismographicsensors that sense the vibrations associated with a developingearthquake. In some embodiments, one of sensors 52 may comprise a manualswitch or other input device that enables a user to manually indicate anapproaching disaster to the protection processor. The input device maybe located at the primary site, at the secondary site or at any othersuitable location. Further additionally or alternatively, sensors 52 maycomprise any other suitable sensor type that enables early prediction ofdeveloping disaster conditions. In some embodiments, system 20 uses theearly disaster detection to further improve the protection of the data.An exemplary method for data protection that uses early disasterdetection is shown in FIG. 5 below.

FIGS. 1B and 1C are block diagrams that schematically illustratealternative configurations of system 20, in accordance with embodimentsof the present invention. In the configuration of FIG. 1B, protectionprocessor 44 is introduced in-band, in the communication link connectingdata sources 24 with mirroring application 36. In this embodiment, allwrite commands from the data sources pass through processor 44. In theconfiguration of FIG. 1C, the protection processor is inserted incommunication link 40 connecting the mirroring application and thesecondary storage device. In this configuration, mirroring application36 performs synchronous mirroring to protection processor 44, andprocessor 44 performs asynchronous mirroring to secondary storage device32. Note that only one secure storage unit 48 is shown in FIGS. 1B and1C, and that sensors 52 and recovery processor 56 are omitted from thesefigures. These omissions are intended purely for the sake of simplicity,and any or all of these elements may be included in any of the systemconfigurations, as appropriate.

The system configurations of FIGS. 1A-1C are exemplary configurations.Other configurations will be apparent to those skilled in the art. Forexample, mirroring application 36 may be integrated with protectionprocessor 44 on a single computing platform. In some embodiments, one ormore secure storage units 48 can be used to protect the data of a singlestorage device, with no mirroring application. As another example, thefunctions of protection processor 44 and secure storage unit 48 can becarried out by a single disaster-proof unit, which may also carry outthe functions of mirroring application 36. The combined unit may beconstructed, for example, as a disaster-proof drawer or rack in theprimary site, or as a durable enclosure similar to the configuration ofFIG. 3 below.

The configurations of FIGS. 1A-1C also present several alternatives ofsynchronous and asynchronous mirroring protocols. For example, in FIG.1A, mirroring application 36 may perform synchronous mirroring toprotection processor 44, and asynchronous mirroring to secondary storagedevice 32. In FIG. 1C, however, the mirroring application performssynchronous mirroring to protection processor 44, and processor 44performs asynchronous mirroring to the secondary storage device.

FIG. 2 is a block diagram that schematically illustrates secure storageunit 48, in accordance with an embodiment of the present invention. Unit48 comprises a memory 60, which holds records corresponding to writecommands, as described above. Memory 60 may comprise, for example, anon-volatile memory device such as a flash device or an electricallyerasable programmable read only memory (EEPROM) device. Alternatively,memory 60 may comprise any other suitable non-volatile or battery-backedmemory device. Memory 60 may comprise one or more memory devices.

Unit 48 comprises a control unit 64, which performs the various datastorage and management functions of secure storage unit 48. Control unit64 may comprise a microprocessor running suitable software.Alternatively, control unit 64 may be implemented in hardware, or usinga combination of hardware and software elements. An interface circuit68, such as a USB interface circuit, handles the physical interfacebetween unit 48 and application 36. In embodiments in which supplyvoltage is provided to unit 48 from protection processor 44, circuit 68provides this voltage to the various elements of unit 48.

In some embodiments, unit 48 comprises a homing device 72, coupled to ahoming antenna 74. Homing device 72 comprises a transmitter ortransponder, which transmits a radio frequency (RF) homing signal inorder to enable unit 48 to be located and retrieved following a disasterevent. Typically, homing device 72 begins to operate when unit 48detects that a disaster event occurred.

In some embodiments, control unit 64 of unit 48 comprises a detectionmechanism that detects disaster events. For example, the detectionmechanism may detect the absence of electrical power and/orcommunication with processor 44, conclude that a disaster even occurred,and as a result activate homing device 72. Device 72 may comprise anactive, passive or semi-active homing device.

In some embodiments, homing device 72 is powered by a power source 82.Power source 82 may comprise a rechargeable battery, which is charged byelectrical power provided via interface 68 during normal systemoperation. Alternatively, power source 82 may comprise any othersuitable battery. In some embodiments, power source 82 is used to powercontrol unit 64 and/or memory 60.

In some embodiments, unit 48 comprises a wireless transmitter 76 coupledto a communication antenna 78. Transmitter 76 is typically powered bypower source 82.

Transmitter 76 is used for transmitting the records stored in memory 60to a wireless receiver 84, when the communication between unit 48 andprocessor 44 is broken due to a disaster event. As such, transmitter 76and antenna 78 serve as alternative communication means for transmittinginformation from unit 48. Using the wireless channel, data stored in thesecure storage unit can be retrieved and reconstructed within minutes.The other retrieval methods, which involve physically locating andretrieving the secure storage unit and may involve detaching memory 60from the unit, may sometimes take several hours or even days.

Transmitter 76 may comprise, for example, a cellular transmitter, aWiMax transmitter, or any other suitable data transmitter type. Wirelessreceiver 84 is coupled to a receiving antenna 85. Receiver 84 andantenna 85 may be connected to secondary storage device 32 or torecovery processor 56. An exemplary data protection method that uses thealternative communication link is shown in FIG. 5 below.

In some embodiments in which two or more secure storage units are usedin a redundant configuration, such as in the configuration of FIG. 1Aabove, the wireless transmitter in each unit 48 is typically assigned adifferent communication channel so as to avoid collisions among thetransmissions of neighboring wireless transmitters. Additionally oralternatively, similar channel coordination may be performed for thehoming devices 72 of neighboring units 48.

In order to shorten the time needed for transferring the data over thewireless channel, receiver 84 may be configured to receive two or morewireless channels in parallel. When the two or more secure storage unitsbegin transmitting, the receiver may choose to receive thesetransmissions simultaneously, thus receiving different parts of the datafrom each of the secure storage units.

When two or more secure storage units 48 are used, differenttransmitters 76 in different units 48 may be configured to transmit ondifferent networks (e.g., cellular networks of different serviceproviders). This network diversity increases the likelihood ofsuccessful data transfer even when a particular wireless network failsduring the disaster.

In some embodiments, the functions of homing device 72, transmitter 76,and antennas 74 and 78 can be performed by a single transmitter and asingle antenna. For example, several methods are known in the art fordetermining the position of a cellular transmitter. Such methods can beused to locate wireless transmitter 76 when it transmits data from unit48, thus eliminating the need for a separate homing device.

FIG. 3 is a schematic, pictorial illustration of secure storage unit 48,in accordance with an embodiment of the present invention. In theexemplary mechanical configuration of FIG. 3, unit 48 is packaged in areinforced, disaster-proof enclosure 86. In some embodiments, enclosure86 may comprise a hermetically-sealed, fire-proof,vibration/shock-proof, lightning-proof, radiation-proof, vandal-proofand/or water resistant enclosure. As noted above, in some embodimentssystem 20 comprises two or more such units 48, in order to increase theprobability of at least one unit surviving the disaster event.

Interface circuit 68, in this embodiment comprising a USB connector, isshown on the front panel of the unit. Control unit 64, homing device 72and transmitter 76 are assembled on three printed circuit boards (PCB),mounted on a motherboard 90. Memory 60 in the present example in mountedon the PCB of control unit 64. Power source 82, in the present examplecomprising a battery, is mounted on motherboard 90 adjacent to the PCBs.Antennas 74 and 78 are shown mounted on the top panel. The mechanicaloutline of FIG. 3 is shown purely as an exemplary configuration. Anyother suitable mechanical and/or electrical configuration can also beused.

In some scenarios, a disaster event may damage unit 48 and prevent itsconnection to the recovery machine, even though the data stored inmemory 60 is unharmed. For example, the USB connector may be damaged. Inorder to enable access to the data, in some embodiments, memory 60 (andpossibly additional elements of unit 48) is made easily detachable fromenclosure 86. In these embodiments, memory 60 can be easily removed andmounted in another unit 48. Then, the unit can be connected to therecovery processor and its data retrieved. For example, memory 60 maycomprise a removable memory card inserted into a suitable socket in unit48, such as is used in digital cameras.

Additionally or alternatively, homing device 72 and/or transmitter 76can be assembled as detachable units, so that these units can bereplaced to suit different communication standards, local frequencyallocations and/or other regulatory constraints.

In some embodiments, antenna 74 and/or antenna 78 is normally folded orotherwise fitted inside enclosure 86, so as to reduce its exposure tothe disaster event. In these embodiments, only after the disaster eventis detected, the antenna is unfolded or otherwise extended out ofenclosure 86 to enable transmission. Further additionally oralternatively, any other suitable configuration of unit 48 can be used.As previously noted, the disaster event can be detected by control unit64 by detecting a loss of communication and/or electrical power.

Protection Method Descriptions

FIG. 4 is a flow chart that schematically illustrates a method for dataprotection, in accordance with an embodiment of the present invention.The description below outlines a typical transaction in which data isreplicated and stored in the primary and secondary storage devices. Inorder to ensure guaranteed storage in the secondary storage device, thedata is temporarily cached in secure storage devices 48.

The method begins with mirroring application 36 accepting a writecommand from one of data sources 24, in the present example aserver-based IT application, at a command acceptance step 100. The writecommand comprises data to be stored. The mirroring application sends thedata to primary storage device 28, at a primary sending step 102. Afterthe primary storage device successfully stores the data, it sends anacknowledgement back to the mirroring application. The mirroringapplication accepts the acknowledgement, at a primary acknowledgementreception step 104.

Protection processor 44 accepts the write command and stores it in oneor more of secure storage devices 48, at a secure caching step 106.Depending on the system configuration used, processor 44 eitherintercepts the write commands sent over communication link 40, monitorsthe communication between mirroring application and the data sources, orreceives all write commands by forwarding from the mirroringapplication. After accepting the write command, processor 44 produces arespective record and stores the record in the secure storage devices.The secure storage devices typically acknowledge the successfulcompletion of the storage operation.

In some embodiments, in addition to the data to be stored, the recordcomprises additional information. Such additional information maycomprise, for example, a communication address of the data source thatoriginated the write command, a communication address of the primarystorage device, a time stamp indicating the time in which the writecommand was accepted, a storage address in the primary storage deviceintended for the data, and/or any additional parameters associated withthe write command.

Before, during or after the temporary storage of the record in units 48,the mirroring application sends the data for storage in secondarystorage device 32, at a secondary sending step 108. Provided that therecords are successfully stored in units 48, the mirroring applicationsends an acknowledgement to the originating data source 24, at anasynchronous acknowledgement step 110.

Processor 44 checks whether an acknowledgement from the secondarystorage device was received, at a secondary acknowledgement checkingstep 112. Until such acknowledgement is received, processor 44 maintainsthe respective record cached in secure storage units 48, possiblyhandling other write commands meanwhile. When an acknowledgement isreceived from secondary storage device 32, processor 44 deletes therespective record from units 48, at a record deletion step 114.

The sequence of steps 100-114 above describes the processing of a singlewrite command. Typically, mirroring application 36 and protectionprocessor 44 simultaneously process multiple such sequencescorresponding to multiple write commands. In some embodiments, thesequence of steps above can be carried out in different orders. Forexample, once a write command is received by the mirroring application,the data can be sent to the primary and secondary storage devices, andonly then a record may be stored in units 48. Some of the steps can becarried out in parallel. For example, storing the write command in thesecure storage unit can be performed in parallel to sending the commandto the primary and/or secondary storage device.

In some embodiments, the data protection method carried out by processor44 is described by the following pseudo-code:

FOR every write operation received from a data source DO

-   -   {Allocate a buffer frame within memory 60 of units 48 and return        a pointer to this buffer denoted BufferFrame.        -   Write the corresponding record to the buffer pointed to by            BufferFrame.}

Of course, memory 60 in units 48 has a finite size and can onlyaccommodate a finite number of records. In some embodiments, beforestoring a newly-created record, processor 44 checks whether sufficientmemory space is available in memory 60 to hold the new record. Ifinsufficient memory is available, processor 44 deletes one or moreprevious records from memory 60 in order to free memory space for thenew record. In some embodiments, the processor deletes the oldestrecords in memory 60. In some embodiments, the memory management processcarried out by processor 44 can be described by the followingpseudo-code:

IF free buffer entries within memory 60 exist THEN

-   -   {Allocate a free entry buffer for new record. Return pointer        BufferFrame pointing to the free buffer.}

ELSE

-   -   {Locate record X having data which resides in memory 60 for the        longest period of time.        -   Discard record X from memory 60.        -   Allocate a free buffer entry to new record.        -   Return BufferFrame pointing to free buffer entry}

When performing recovery of the data using the records stored in units60, the data recovery process can be described by the followingpseudo-code:

FOR the data in each record stored in memory 60

DO

-   -   {Read the data of each record in the order in which it was        originally stored.        -   Based on the storage address in the record, write the data            to the appropriate address in the secondary storage device.}

FIG. 5 is a flow chart that schematically illustrates a method for dataprotection using early disaster detection, in accordance with anotherembodiment of the present invention. The method begins with protectionprocessor 44 predicting a developing or approaching disaster event (or amanual activation by a user), at an early detection step 120. In someembodiments, processor 44 analyzes the environmental conditions sensedby sensors 52, as described above, and detects a developing disasterevent responsively to the sensed conditions.

When a developing disaster event is detected, processor 44 instructs themirroring application to stop forwarding write commands to the primarystorage device, at a write rejection step 122. Stopping the writeoperations is particularly important in earthquake conditions, sinceperforming write operations in the presence of mechanical shocks andvibrations may be harmful to the storage device.

Since processor 44 predicts that the primary site is about to be hit bya disaster event, it instructs the mirroring application to stopaccepting write commands from data sources 24. In some embodiments, theprotection processor stops sending acknowledgements to the mirroringapplication. As a result, the mirroring application stops accepting newwrite commands from data sources 24. The protection processor can alsouse the acknowledgement mechanism to control the rate in which writecommands are accepted from the data sources after predicting thedisaster event.

In some embodiments, in particular when some of the data sent by datasources 24 is considered important for investigating the disaster event,some data sources (e.g., security cameras) may still be allowed to storedata while other data sources (e.g., IT systems) may be declined. Inthese embodiments, data whose storage is allowed to continue is writtento secure storage unit 48 until memory 60 is full.

Having detected an approaching disaster event, processor 44 attempts touse the remaining time for transmitting the data cached in units 48before the disaster event hits the primary site. Processor 44 retrievesthe records stored in units 48, at a record retrieval step 124.Processor 44 then checks whether the primary communication connectionwith the secondary site (i.e., communication link 40) is stilloperative, at a primary communication checking step 126. As long as link40 remains operative, processor 44 uses this link to transmit therecords to the secondary site, at a primary transmission step 128.

Otherwise, if the primary link is already inoperative, processor 44instructs units 48 to transmit the records using the alternativecommunication link, i.e., using wireless transmitters 76, at analternative transmission step 130. Additionally or alternatively, asnoted above, if a particular unit 48 senses a loss of communicationand/or electrical power, it begins transmitting the records stored inmemory 60 using transmitter 76.

Although the embodiments described herein mainly address the use of asecure storage unit for guaranteed mirroring of data, the methods,systems and devices described herein can also be used in additionalapplications. For example, in some systems data is being backed-upperiodically to a storage device. A secure storage unit can be used fortemporarily and securely storing the data produced in the system betweenperiodic backup operations. This automated mechanism can replace theknown practice of manually placing backup tapes or disks in adisaster-proof safe or at a distant location.

It will thus be appreciated that the embodiments described above arecited by way of example, and that the present invention is not limitedto what has been particularly shown and described hereinabove. Rather,the scope of the present invention includes both combinations andsub-combinations of the various features described hereinabove, as wellas variations and modifications thereof which would occur to personsskilled in the art upon reading the foregoing description and which arenot disclosed in the prior art.

1. A method for data protection, comprising: accepting data for storagefrom one or more data sources; sending the data for storage in a primarystorage device located at a local site, and in a secondary storagedevice located at a remote site; while awaiting an indication ofsuccessful storage of the data in the secondary storage device,temporarily storing a record associated with the data in adisaster-proof storage unit collocated with the primary storage deviceat the local site; and when an event damaging at least some of the datain the primary storage device occurs, reconstructing the data using therecord stored in the disaster-proof storage unit and at least part ofthe data stored in the secondary storage device.
 2. The method accordingto claim 1, wherein temporarily storing the record comprises sending anacknowledgement to the one or more data sources responsively to asuccessful caching of the record in the disaster-proof storage unit,without waiting to receive the indication of the successful storage ofthe data in the secondary storage device, so as to reduce a transactionlatency associated with the storage of the data.
 3. The method accordingto claim 1, wherein temporarily storing the record comprises receivingan acknowledgement from the secondary storage device acknowledging thesuccessful storage of the data in the secondary storage device, anddeleting the record from the disaster-proof storage unit responsively tothe acknowledgement.
 4. The method according to claim 1, whereinreconstructing the data comprises retrieving the disaster-proof storageunit following the event, extracting the record from the disaster-proofstorage unit and writing the data associated with the record to thesecondary storage device.
 5. The method according to claim 4, whereinwriting the data comprises remotely connecting the disaster-proofstorage unit to the secondary storage device.
 6. The method according toclaim 1, wherein the disaster-proof storage unit comprises a removablememory device for holding the record, and wherein reconstructing thedata comprises, when the disaster-proof storage unit is damaged by theevent, removing the memory device from the disaster-proof storage unitand installing the memory device in another unit for readout of therecord.
 7. The method according to claim 1, and comprising detecting theevent using a detection mechanism in the disaster-proof storage unit,and modifying operation of the disaster-proof storage unit responsivelyto detecting the event.
 8. The method according to claim 7, whereindetecting the event comprises detecting at least one of a loss ofexternal electrical power supply and a communication failure at thedisaster-proof storage unit.
 9. The method according to claim 7, whereinmodifying the operation comprises transmitting the record from thedisaster-proof storage unit over a wireless communication link.
 10. Themethod according to claim 9, wherein temporarily storing the recordcomprises storing the record in two or more disaster-proof storageunits, and wherein transmitting the record comprises transmitting two ormore different parts of the record respectively from the two or moredisaster-proof storage units over respective wireless links so as toshorten a transmission time of the record.
 11. The method according toclaim 7, wherein modifying the operation comprises transmitting a homingsignal from the disaster-proof storage unit, so as to enable locationand retrieval of the disaster-proof storage unit.
 12. The methodaccording to claim 1, wherein reconstructing the data comprises: sensingan environmental condition using an environmental sensor; prior tooccurrence of the event, predicting the event responsively to the sensedenvironmental condition; and after predicting the event, transmittingthe record from the disaster-proof storage unit using at least one of awired connection and a wireless connection.
 13. The method according toclaim 12, wherein sensing the environmental condition comprisesaccepting a manual indication from a user that indicates the event. 14.The method according to claim 12, wherein temporarily storing the recordcomprises sending an acknowledgement message responsively to asuccessful storage of the record in the disaster-proof storage unit, andcomprising, after predicting the event, refraining from sendingsubsequent acknowledgement messages so as to avoid accepting additionaldata from the one or more data sources.
 15. The method according toclaim 12, and comprising, after predicting the event, refraining fromsending subsequent data for storage in the primary storage device. 16.The method according to claim 12, wherein the one or more data sourcescomprise at least two data sources, and comprising, after predicting theevent, temporarily storing in the disaster-proof storage unit onlysubsequent records associated with data originating from a subset of theat least two data sources.
 17. The method according to claim 1, whereintemporarily storing the record comprises avoiding exceeding a memorycapacity in the disaster-proof storage unit by matching the memorycapacity with at least one of a maximum allowed size of data pending foracknowledgement by the secondary storage device and a maximum number ofwrite commands pending for storage in the secondary storage device. 18.The method according to claim 1, wherein temporarily storing the recordcomprises including in the record additional information related to thedata, the additional information comprising at least one of an addressof an originating data source, an address of the primary storage device,a time stamp indicating an acceptance time of the data and a storageaddress intended for the data in the primary storage device.
 19. Asystem for data protection, comprising: one or more data sources, whichare arranged to send data for storage; primary and secondary storagedevices, which are located in a local site and a remote site,respectively, and are arranged to hold the data; and a disaster-proofstorage unit, which is collocated with the primary storage device at thelocal site and which is arranged to temporarily store a recordassociated with the data while awaiting an indication of a successfulstorage of the data in the secondary storage device, and when an eventdamaging at least some of the data in the primary storage device occurs,to provide the record so as to enable reconstruction of the data usingthe record stored in the disaster-proof storage unit and at least partof the data stored in the secondary storage device.
 20. The systemaccording to claim 19, and comprising: an environmental sensor, which isarranged to sense an environmental condition in a vicinity of theprimary storage device; and a processor, which is arranged to predictthe event, prior to occurrence of the event, responsively to the sensedenvironmental condition and, after predicting the event, to instruct thedisaster-proof storage unit to transmit the record using at least one ofa wired connection and a wireless connection.
 21. Apparatus forprotecting data sent for storage in primary and secondary storagedevices, comprising: a disaster-proof storage unit, which is collocatedwith the primary storage device at a local site and which comprises: adisaster-proof enclosure, which is arranged to protect componentscontained therein against disaster events; a memory device contained inthe enclosure, which is arranged to temporarily hold a record associatedwith the data while awaiting an indication of successful storage of thedata in the secondary storage device; and a control unit, which isarranged, when an event damaging at least some of the data in theprimary storage device occurs, to provide the record so as to enablereconstruction of the data using the record stored in the memory deviceand at least part of the data stored in the secondary storage device; asensor, which is arranged to sense an environmental condition in avicinity of the primary storage device; and a protection processor,which is arranged to predict the event, prior to occurrence of theevent, responsively to the sensed environmental condition and,responsively to predicting the event, to instruct the disaster-proofstorage unit to transmit the record so as to protect the data.
 22. Theapparatus according to claim 21, wherein the control unit is arranged todelete the record from the memory device responsively to anacknowledgement from the secondary storage device acknowledging thesuccessful storage of the data in the secondary storage device.
 23. Theapparatus according to claim 21, wherein the control unit is arranged tocommunicate with the secondary storage device in order to provide therecord so as to reconstruct the data.
 24. The apparatus according toclaim 21, wherein the memory device comprises at least one of anon-volatile memory device and a removable memory device.
 25. Theapparatus according to claim 21, wherein the control unit comprises adetection mechanism for detecting the event, and wherein the controlunit is arranged to modify operation of the disaster-proof storage unitresponsively to detecting the event.
 26. The apparatus according toclaim 25, wherein the detection mechanism is arranged to detect at leastone of a loss of external electrical power supply and a communicationfailure at the disaster-proof storage unit.
 27. The apparatus accordingto claim 25, wherein the disaster-proof storage unit further comprises awireless transmitter, which is arranged to transmit the record from thedisaster-proof storage unit responsively to detecting the event.
 28. Theapparatus according to claim 27, wherein the disaster-proof storage unitis one of two or more disaster-proof storage units, which are arrangedto transmit respectively two or more different parts of the record overrespective wireless links so as to shorten a transmission time of therecord.
 29. The apparatus according to claim 25, wherein thedisaster-proof storage unit further comprises a homing device, which isarranged to transmit a homing signal from the disaster-proof storageunit responsively to detecting the event, so as to enable location andretrieval of the disaster-proof storage unit.
 30. The apparatusaccording to claim 21, wherein the record comprises additionalinformation related to the data, the additional information comprisingat least one of an address of an originating data source, an address ofthe primary storage device, a time stamp indicating an acceptance timeof the data and a storage address intended for the data in the primarystorage device.
 31. The apparatus according to claim 21, wherein thesensor is arranged to accept a manual indication from a user so as topredict the event.
 32. The apparatus according to claim 21, wherein thedata is accepted from one or more data sources, and wherein theprotection processor is arranged to send an acknowledgement messageresponsively to a successful storage of the record in the disaster-proofstorage unit and to refrain from sending subsequent acknowledgementmessages after predicting the event so at to avoid accepting additionaldata from the one or more data sources.
 33. The apparatus according toclaim 21, wherein the data is accepted from one or more data sources,and wherein the protection processor is arranged to control a rate ofthe data accepted from the one or more data sources after predicting theevent.
 34. The apparatus according to claim 21, wherein the data isaccepted from at least two data sources, and wherein the protectionprocessor is arranged to send for temporary storage in thedisaster-proof storage unit only subsequent records associated with dataoriginating from a subset of the at least two data sources afterpredicting the event.
 35. The apparatus according to claim 21, wherein acapacity of the memory device is matched to a maximum allowed size ofdata pending for acknowledgement by the secondary storage device so asto avoid exceeding the memory capacity.